Abstract. We present the guarded lambda-calculus, an extension of the simply typed lambda-calculus with guarded recursive and coinductive types. The use of guarded recursive types ensures the productivity of well-typed programs. Guarded recursive types may be transformed into coinductive types by a type-former inspired by modal logic and Atkey-McBride clock quantification, allowing the typing of acausal functions. We give a call-by-name operational semantics for the calculus, and define adequate denotational semantics in the topos of trees. The adequacy proof entails that the evaluation of a program always terminates. We demonstrate the expressiveness of the calculus by showing the definability of solutions to Rutten's behavioural differential equations. We introduce a program logic with Löb induction for reasoning about the contextual equivalence of programs.


1 Introduction 

The problem of ensuring that functions on coinductive types are well-defined has prompted a wide variety of work into productivity checking, and rule formats for coalgebra. Guarded recursion [10] guarantees productivity and unique solutions by requiring that recursive calls be nested under a constructor, such as cons (written ::) for streams. This can sometimes be established by a simple syntactic check, as for the stream toggle and binary stream function interleave below:

toggle = 1 :: 0 :: toggle 

interleave (x :: xs) ys = x :: interleave ys xs 

Such syntactic checks, however, are often too blunt and exclude many valid definitions. For example the regular paperfolding sequence, the sequence of left and right turns (encoded as 1 and 0) generated by repeatedly folding a piece of paper in half, can be defined via the function interleave as follows:

paperfolds = interleave toggle paperfolds 

This definition is productive, but the putative definition below, which also applies 
interleave to two streams and so apparently is just as well-typed, is not: 

paperfolds' = interleave paperfolds' toggle 
This equation is satisfied by any stream whose tail is the regular paperfolding sequence, so lacks a unique solution. Unfortunately the syntactic productivity checker of the proof assistant Coq [12] will reject both definitions.

A more flexible approach, first suggested by Nakano [15], is to guarantee productivity via types. A new modality, for which we follow Appel et al. by writing ► and using the name 'later', allows us to distinguish between data we have access to now, and data which we have only later. This ► must be used to guard self-reference in type definitions, so for example guarded streams of natural numbers are defined by the guarded recursive equation

Str^g = N × ►Str^g

asserting that stream heads are available now, but tails only later. The type of interleave will be Str^g → ►Str^g → Str^g, capturing the fact that the (head of the) first argument is needed immediately, but the second argument is needed only later. In term definitions the types of self-references will then be guarded by ► also. For example interleave paperfolds' toggle becomes ill-formed, as the paperfolds' self-reference has type ►Str^g, rather than Str^g, but interleave toggle paperfolds will be well-formed.

Adding ► alone to the simply typed λ-calculus enforces a discipline more rigid than productivity. For example the obviously productive stream function

every2nd (x :: x' :: xs) = x :: every2nd xs

cannot be typed because it violates causality [14]: elements of the result stream depend on deeper elements of the argument stream. In some settings, such as reactive programming, this is a desirable property, but for productivity guarantees alone it is too restrictive. We need the ability to remove ► in a controlled way. This is provided by the clock quantifiers of Atkey and McBride [4], which assert that all data is available now. This does not trivialise the guardedness requirements because there are side-conditions controlling when clock quantifiers may be introduced. Moreover clock quantifiers transform guarded recursive types into first-class coinductive types, with guarded recursion defining the rule format for their manipulation.

Our presentation departs from Atkey and McBride's [4] by regarding the 'everything now' operator as a unary type-former, written ■ and called 'constant', rather than a quantifier. Observing that the types ■A → A and ■A → ■■A are always inhabited allows us to see the type-former, via the Curry-Howard isomorphism, as an S4 modality, and hence base our operational semantics on the established typed calculi for intuitionistic S4 (IS4) of Bierman and de Paiva [5]. This is sufficient to capture all examples in the literature, which use only one clock; for examples that require multiple clocks we suggest extending our calculus to a multimodal logic.

In this paper we present the guarded λ-calculus, gλ, extending the simply typed λ-calculus with coinductive and guarded recursive types. We define call-by-name operational semantics, which blocks non-termination via recursive definitions unfolding indefinitely. We define adequate denotational semantics in the topos of trees [6] and as a consequence prove normalisation. We introduce a program logic Lgλ for reasoning about the denotations of gλ-programs; given adequacy this permits proofs about the operational behaviour of terms. The logic is based on the internal logic of the topos of trees, with modalities ▷, □ on predicates, and Löb induction for reasoning about functions on both guarded recursive and coinductive types. We demonstrate the expressiveness of the calculus by showing the definability of solutions to Rutten's behavioural differential equations [20], and show that Lgλ can be used to reason about them, as an alternative to standard bisimulation-based arguments.

We have implemented the gλ-calculus in Agda, a process we found helpful when fine-tuning the design of our calculus. The implementation, with many examples, is available at http://cs.au.dk/~hbugge/gl-agda.zip.

2 Guarded λ-calculus

This section presents the guarded λ-calculus, written gλ, its call-by-name operational semantics, and its types, then gives some examples.

Definition 2.1. gλ-terms are given by the grammar

t ::= x | ⟨⟩ | zero | succ t | ⟨t,t⟩ | π_d t | λx.t | t t | fold t | unfold t
    | next t | prev σ.t | box σ.t | unbox t | t ⊛ t

where d ∈ {1, 2}, x is a variable and σ = [x1 ← t1, ..., xn ← tn], usually abbreviated [x⃗ ← t⃗], is a list of variables paired with terms.

prev[x⃗ ← t⃗].t and box[x⃗ ← t⃗].t bind all variables of x⃗ in t, but not in t⃗. We write prev ι.t for prev[x⃗ ← x⃗].t where x⃗ is a list of all free variables of t. If furthermore t is closed we simply write prev t. We will similarly write box ι.t and box t. We adopt the convention that prev and box have highest precedence.

We may extend gλ with sums; for space reasons we leave these to App. C.

Definition 2.2. The reduction rules on closed gλ-terms are

π_d⟨t1, t2⟩ ⇝ t_d                        (d ∈ {1, 2})
(λx.t1) t2 ⇝ t1[t2/x]
unfold fold t ⇝ t
prev[x⃗ ← t⃗].t ⇝ prev t[t⃗/x⃗]           (x⃗ non-empty)
prev next t ⇝ t
unbox(box[x⃗ ← t⃗].t) ⇝ t[t⃗/x⃗]
next t1 ⊛ next t2 ⇝ next(t1 t2)

The rules above look like standard β-reduction, removing 'roundabouts' of introduction then elimination, with the exception of those regarding prev and next. An apparently more conventional β-rule for these term-formers would be

prev[x⃗ ← t⃗].(next t) ⇝ t[t⃗/x⃗]

but where x⃗ is non-empty this would require us to reduce an open term to derive next t. We take the view that reduction of open terms is undesirable within a call-by-name discipline, so first apply the substitution without eliminating prev.

The final rule is not a true β-rule, as ⊛ is neither introduction nor elimination, but is necessary to enable function application under a next and hence allow, for example, manipulation of the tail of a stream. It corresponds to the 'homomorphism' equality for applicative functors.

We next impose our call-by-name strategy on these reductions.

Definition 2.3. Values are terms of the form

⟨⟩ | succ^n zero | ⟨t,t⟩ | λx.t | fold t | box σ.t | next t

where succ^n is a list of zero or more succ operators, and t is any term.

Definition 2.4. Evaluation contexts are defined by the grammar

E ::= • | succ E | π_d E | E t | unfold E | prev E | unbox E | E ⊛ t | v ⊛ E

If we regard ⊛ as a variant of function application, it is surprising in a call-by-name setting to reduce on both its sides. However both sides must be reduced until they have main connective next before the reduction rule for ⊛ may be applied. Thus the order of reductions of gλ-terms cannot be identified with the call-by-name reductions of the corresponding λ-calculus term with the novel connectives erased.

Definition 2.5. Call-by-name reduction has format E[t] ↦ E[u], where t ⇝ u is a reduction rule. From now the symbol ↦ will be reserved to refer to call-by-name reduction. We use ↦* for the reflexive transitive closure of ↦.

Lemma 2.6. The call-by-name reduction relation ↦ is deterministic.
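The reduction rules of Def. 2.2, the values of Def. 2.3, the evaluation contexts of Def. 2.4 and the call-by-name strategy of Def. 2.5, as a small-step evaluator for closed terms. This is an added example, not code from the paper or from its Agda implementation: the tuple encoding of terms, the helper names (subst, rule, step, evaluate, nth, observe) and the fixed-point combinator FIX (encoded through the type μα. ►α → A, my own choice in the style of Abel and Vezzosi) are assumptions of the example. Observing elements of toggle shows the two points the text makes: prev only forces a value out of a next once the term under it has been reduced, and the ⊛ rule pushes application under next.

```python
def subst(t, env):
    """Substitute the closed terms in env (variable name -> term) for free variables of t."""
    k = t[0]
    if k == 'var':
        return env.get(t[1], t)
    if k == 'lam':                       # λx.body: x shadows any binding for x in env
        x, body = t[1], t[2]
        return ('lam', x, subst(body, {y: v for y, v in env.items() if y != x}))
    if k in ('prev', 'box'):             # prev/box[x⃗ ← t⃗].body: x⃗ bound in body, not in t⃗
        binds, body = t[1], t[2]
        bound = {y for y, _ in binds}
        inner = {y: v for y, v in env.items() if y not in bound}
        return (k, tuple((y, subst(u, env)) for y, u in binds), subst(body, inner))
    return (k,) + tuple(subst(c, env) if isinstance(c, tuple) else c for c in t[1:])

def is_value(t):
    """Def. 2.3: ⟨⟩ | succ^n zero | ⟨t,t⟩ | λx.t | fold t | box σ.t | next t."""
    if t[0] == 'succ':
        return t[1][0] in ('succ', 'zero') and is_value(t[1])
    return t[0] in ('unit', 'zero', 'pair', 'lam', 'fold', 'box', 'next')

def rule(t):
    """Def. 2.2: the reduction rule ⇝ applicable at the root of t, or None."""
    k = t[0]
    if k == 'proj' and t[2][0] == 'pair':              # π_d⟨t1,t2⟩ ⇝ t_d
        return t[2][t[1]]
    if k == 'app' and t[1][0] == 'lam':                # (λx.t1) t2 ⇝ t1[t2/x]
        return subst(t[1][2], {t[1][1]: t[2]})
    if k == 'unfold' and t[1][0] == 'fold':            # unfold fold t ⇝ t
        return t[1][1]
    if k == 'prev' and t[1]:                           # prev[x⃗←t⃗].t ⇝ prev t[t⃗/x⃗]
        return ('prev', (), subst(t[2], dict(t[1])))
    if k == 'prev' and t[2][0] == 'next':              # prev next t ⇝ t
        return t[2][1]
    if k == 'unbox' and t[1][0] == 'box':              # unbox(box[x⃗←t⃗].t) ⇝ t[t⃗/x⃗]
        return subst(t[1][2], dict(t[1][1]))
    if k == 'ap' and t[1][0] == 'next' and t[2][0] == 'next':
        return ('next', ('app', t[1][1], t[2][1]))     # next t1 ⊛ next t2 ⇝ next(t1 t2)
    return None

def step(t):
    """Def. 2.5: one call-by-name step E[t] ↦ E[u]; the hole is located per Def. 2.4."""
    r = rule(t)
    if r is not None:
        return r
    k = t[0]
    if k in ('succ', 'unfold', 'unbox'):               # succ E | unfold E | unbox E
        s = step(t[1]); return None if s is None else (k, s)
    if k == 'proj':                                    # π_d E
        s = step(t[2]); return None if s is None else (k, t[1], s)
    if k == 'app':                                     # E t  (the argument is never reduced)
        s = step(t[1]); return None if s is None else (k, s, t[2])
    if k == 'prev':                                    # prev E (binding list is empty here)
        s = step(t[2]); return None if s is None else (k, (), s)
    if k == 'ap':                                      # E ⊛ t, then v ⊛ E: both sides reduce
        if not is_value(t[1]):
            s = step(t[1]); return None if s is None else (k, s, t[2])
        s = step(t[2]); return None if s is None else (k, t[1], s)
    return None

def evaluate(t, fuel=100000):
    """Iterate ↦ to a value; a stuck (ill-typed) term or exhausted fuel raises."""
    for _ in range(fuel):
        if is_value(t):
            return t
        t = step(t)
        if t is None:
            raise ValueError('stuck term')
    raise RuntimeError('no value reached within fuel')

# Smart constructors and the toggle stream of Ex. 2.10 over a fixed-point combinator.
def var(x): return ('var', x)
def lam(x, b): return ('lam', x, b)
def app(f, a): return ('app', f, a)
def ap(f, a): return ('ap', f, a)
def nxt(t): return ('next', t)
def cons(h, later): return ('fold', ('pair', h, later))   # h :: later

# fix f = g (next(fold g)) with g = λx. f ((next λz.unfold z) ⊛ x ⊛ next x);
# the encoding through μα. ►α → A is mine, not the paper's.
UNFOLD = lam('z', ('unfold', var('z')))
G = lam('x', app(var('f'), ap(ap(nxt(UNFOLD), var('x')), nxt(var('x')))))
FIX = lam('f', app(G, nxt(('fold', G))))
HD = lam('s', ('proj', 1, ('unfold', var('s'))))            # hd^g
TL = lam('s', ('proj', 2, ('unfold', var('s'))))            # tl^g
ONE = ('succ', ('zero',))
TOGGLE = app(FIX, lam('s', cons(ONE, nxt(cons(('zero',), var('s'))))))

def nth(n, s):
    """Closed term observing element n of guarded stream s: hd^g s for n = 0, otherwise
    prev((next λz. nth(n-1, z)) ⊛ tl^g s), i.e. 2nd^g, 3rd^g, ... with prev on top."""
    if n == 0:
        return app(HD, s)
    return ('prev', (), ap(nxt(lam('z', nth(n - 1, var('z')))), app(TL, s)))

def to_int(v):
    """Read the value succ^n zero back as n."""
    n = 0
    while v[0] == 'succ':
        v, n = v[1], n + 1
    return n

def observe(n, s):
    return to_int(evaluate(nth(n, s)))
```

Because the strategy is call-by-name, evaluate(app(λx.zero, unbox zero)) returns zero without ever touching the stuck argument, and TOGGLE itself reduces to a value whose tail is still an unevaluated next, just as Def. 2.3 allows.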

Definition 2.7. gλ-types are defined inductively by the rules of Fig. 1. V is a finite set of type variables. A variable α is guarded in a type A if all occurrences of α are beneath an occurrence of ► in the syntax tree. We adopt the convention that unary type-formers bind closer than binary type-formers.

  V, α ⊢ α          V ⊢ 1          V ⊢ N

  V ⊢ A1    V ⊢ A2            V ⊢ A1    V ⊢ A2
  -------------------         -------------------
     V ⊢ A1 × A2                 V ⊢ A1 → A2

  V, α ⊢ A    α guarded in A        V ⊢ A          • ⊢ A
  ---------------------------      --------        --------
         V ⊢ μα.A                  V ⊢ ►A          V ⊢ ■A

Fig. 1. Type formation for the gλ-calculus
Note the side condition on the μ type-former, and the prohibition on ■A for open A, which can also be understood as a prohibition on applying μα to any α with ■ above it. The intuition for these restrictions is that unique fixed points exist only where the variable is displaced in time by a ►, but ■ cancels out this displacement by giving 'everything now'.

Definition 2.8. The typing judgments are given in Fig. 2. There d ∈ {1, 2}, and the typing contexts Γ are finite sets of pairs x : A where x is a variable and A a closed type. Closed types are constant if all occurrences of ► are beneath an occurrence of ■ in their syntax tree.


  Γ, x : A ⊢ x : A        Γ ⊢ ⟨⟩ : 1        Γ ⊢ zero : N

     Γ ⊢ t : N           Γ ⊢ t1 : A    Γ ⊢ t2 : B        Γ ⊢ t : A1 × A2
  ----------------       -------------------------       -----------------
  Γ ⊢ succ t : N          Γ ⊢ ⟨t1, t2⟩ : A × B           Γ ⊢ π_d t : A_d

   Γ, x : A ⊢ t : B        Γ ⊢ t1 : A → B    Γ ⊢ t2 : A
  -------------------      -----------------------------
  Γ ⊢ λx.t : A → B               Γ ⊢ t1 t2 : B

   Γ ⊢ t : A[μα.A/α]           Γ ⊢ t : μα.A
  --------------------     ---------------------------
   Γ ⊢ fold t : μα.A       Γ ⊢ unfold t : A[μα.A/α]

     Γ ⊢ t : A          Γ ⊢ t1 : ►(A → B)    Γ ⊢ t2 : ►A
  -----------------     ---------------------------------
  Γ ⊢ next t : ►A               Γ ⊢ t1 ⊛ t2 : ►B

   x1 : A1, ..., xn : An ⊢ t : ►A    Γ ⊢ t1 : A1  ...  Γ ⊢ tn : An    A1, ..., An constant
  ------------------------------------------------------------------------------------------
                       Γ ⊢ prev[x1 ← t1, ..., xn ← tn].t : A

   x1 : A1, ..., xn : An ⊢ t : A     Γ ⊢ t1 : A1  ...  Γ ⊢ tn : An    A1, ..., An constant
  ------------------------------------------------------------------------------------------
                       Γ ⊢ box[x1 ← t1, ..., xn ← tn].t : ■A

     Γ ⊢ t : ■A
  -----------------
  Γ ⊢ unbox t : A

Fig. 2. Typing rules for the gλ-calculus


The constant types exist 'all at once', due to the absence of ► or presence of ■; this condition corresponds to the freeness of the clock variable in Atkey and McBride [4] (recalling that we use only one clock in this work). Its use as a side-condition to ■-introduction in Fig. 2 recalls (but is more general than) the 'essentially modal' condition for natural deduction for IS4 of Prawitz. The term calculus for IS4 of Bierman and de Paiva [5], on which this calculus is most closely based, uses the still more restrictive requirement that ■ be the main connective. This would preclude some functions that seem desirable, such as the isomorphism λn. box ι.n : N → ■N.
In examples prev usually appears in its syntactic sugar forms

   x1 : A1, ..., xn : An ⊢ t : ►A    A1, ..., An constant           ⊢ t : ►A
  -----------------------------------------------------------     ---------------
         Γ, x1 : A1, ..., xn : An ⊢ prev ι.t : A                  Γ ⊢ prev t : A

and similarly for box; the more general form is nonetheless necessary because (prev ι.t)[u⃗/x⃗] = prev[x⃗ ← u⃗].t. Getting substitution right in this setting is somewhat delicate. For example our reduction rule prev[x⃗ ← t⃗].t ↦ prev t[t⃗/x⃗] breaches subject reduction on open terms (but not for closed terms). See Bierman and de Paiva [5] for more discussion of substitution with respect to IS4.

Lemma 2.9 (Subject Reduction). ⊢ t : A and t ↦ u implies ⊢ u : A.

Example 2.10. (i) The type of guarded recursive streams of natural numbers, Str^g, is defined as μα. N × ►α. These provide the setting for all examples below, but other definable types include infinite binary trees, as μα. N × ►α × ►α, and potentially infinite lists, as μα. 1 + (N × ►α).

(ii) We define guarded versions of the standard stream functions cons (written infix as ::), head, and tail as obvious:

:: = λn.λs. fold⟨n, s⟩ : N → ►Str^g → Str^g
hd^g = λs. π1 unfold s : Str^g → N          tl^g = λs. π2 unfold s : Str^g → ►Str^g

then use the ⊛ term-former for observations deeper into the stream:

2nd^g = λs. (next hd^g) ⊛ (tl^g s) : Str^g → ►N
3rd^g = λs. (next 2nd^g) ⊛ (tl^g s) : Str^g → ►►N      ...

(iii) Following Abel and Vezzosi [1, Sec. 3.4] we may define a fixed point combinator fix with type (►A → A) → A for any A. We use this to define a stream by iteration of a function: iterate takes as arguments a natural number and a function, but the function is not used until the 'next' step of computation, so we may reflect this with our typing:

iterate = λf. fix λg.λn. n :: (g ⊛ (f ⊛ next n)) : ►(N → N) → N → Str^g

We may hence define the guarded stream of natural numbers nats = iterate (next λn. succ n) zero.

(iv) With interleave, following our discussion in the introduction, we again may reflect in our type that one of our arguments is not required until the next step, defining the term interleave as:

fix λg.λs.λt. (hd^g s) :: (g ⊛ t ⊛ next(tl^g s)) : Str^g → ►Str^g → Str^g

This typing decision is essential to define the paper folding stream:

toggle = fix λs. (succ zero) :: (next(zero :: s))
paperfolds = fix λs. interleave toggle s

Note that the unproductive definition with interleave s toggle cannot be made to type check: informally, s : ►Str^g cannot be converted into a Str^g by prev, as it is in the scope of a variable s whose type ►Str^g is not constant. To see a less artificial non-example, try to define a filter function on streams which eliminates elements that fail some boolean test.

(v) μ-types are in fact unique fixed points, so carry both final coalgebra and initial algebra structure. To see the latter, observe that we can define

foldr = fix λg.λf.λs. f⟨hd^g s, g ⊛ next f ⊛ tl^g s⟩ : ((N × ►A) → A) → Str^g → A

and hence for example map^g h : Str^g → Str^g is foldr λx. (h(π1 x)) :: (π2 x).

(vi) The ■ type-former lifts guarded recursive streams to coinductive streams, as we will make precise in Ex. 3.4. Let Str = ■Str^g. We define hd : Str → N and tl : Str → Str by hd = λs. hd^g(unbox s) and tl = λs. box ι. prev ι. tl^g(unbox s), and hence define observations deep into streams whose results bear no trace of ►, for example 2nd = λs. hd(tl s) : Str → N.

In general boxed functions lift to functions on boxed types by

lim = λf.λx. box ι. (unbox f)(unbox x) : ■(A → B) → ■A → ■B

(vii) The more sophisticated acausal function every2nd : Str → Str^g is

fix λg.λs. (hd s) :: (g ⊛ (next(tl(tl s)))).

Note that it must take a coinductive stream Str as argument. The function with coinductive result type is then λs. box ι. every2nd s : Str → Str.
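Ex. 2.10 transcribed into Python, as an added example that is not part of the paper or of its Agda code: ►A is modelled by a zero-argument thunk (next t is lambda: t, prev is a call), Str^g as a (head, thunk) pair, and fix f as f(next(fix f)). Python enforces none of the paper's typing discipline, so the encoding and the helper names (fix, cons, hd, tlg, tl, take) are assumptions of this example; box and unbox are identities in it. The last function shows what the definition the type system rejects, interleave s toggle, does at run time.

```python
def fix(f):
    """fix : (►A → A) → A; the recursive reference is passed as a delayed thunk."""
    return f(lambda: fix(f))

def cons(n, later):          # n :: later, with later : ►Str^g (a thunk)
    return (n, later)
def hd(s):                   # hd^g : Str^g → N
    return s[0]
def tlg(s):                  # tl^g : Str^g → ►Str^g; the thunk itself, not forced
    return s[1]

def take(k, s):
    """First k elements; each step forces one ► (prev applied to a closed term)."""
    out = []
    for _ in range(k):
        out.append(hd(s))
        s = tlg(s)()
    return out

# toggle = fix λs. succ zero :: next(zero :: s)
toggle = fix(lambda s: cons(1, lambda: cons(0, s)))

# interleave = fix λg.λs.λt. hd^g s :: (g ⊛ t ⊛ next(tl^g s)) : Str^g → ►Str^g → Str^g
interleave = fix(lambda g: lambda s: lambda t:
                 cons(hd(s), lambda: g()(t())(tlg(s))))

# paperfolds = fix λs. interleave toggle s   (s : ►Str^g is what interleave expects)
paperfolds = fix(lambda s: interleave(toggle)(s))

# iterate = λf. fix λg.λn. n :: (g ⊛ (f ⊛ next n)) : ►(N → N) → N → Str^g
iterate = lambda f: fix(lambda g: lambda n: cons(n, lambda: g()(f()(n))))
nats = iterate(lambda: lambda n: n + 1)(0)

def tl(s):
    """tl : Str → Str on coinductive streams; forcing 'now' is what needs the ■ type."""
    return tlg(s)()

# every2nd = fix λg.λs. hd s :: (g ⊛ next(tl(tl s))) : Str → Str^g
every2nd = fix(lambda g: lambda s: cons(hd(s), lambda: g()(tl(tl(s)))))

def paperfolds_bad_is_unproductive():
    """interleave s toggle forces the self-reference s : ►Str^g before producing any
    head; in this untyped model that shows up as unbounded recursion."""
    try:
        bad = fix(lambda s: interleave(s())(lambda: toggle))
        take(1, bad)
        return False
    except RecursionError:
        return True
```

take(8, paperfolds) yields the regular paperfolding sequence 1, 1, 0, 1, 1, 0, 0, 1, and every2nd applied to nats yields the even numbers; nothing is memoised, so, as under call-by-name, each forced tail is recomputed from its definition.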

3 Denotational Semantics and Normalisation

This section gives denotational semantics for gλ-types and terms, as objects and arrows in the topos of trees [6], the presheaf category over the first infinite ordinal ω (we give a concrete definition below). These semantics are shown to be sound and, by a logical relations argument, adequate with respect to the operational semantics. Normalisation follows as a corollary of this argument. Note that for space reasons many proofs, and some lemmas, appear in App. A.

Definition 3.1. The topos of trees S has, as objects X, families of sets X1, X2, ... indexed by the positive integers, equipped with families of restriction functions r^X_i : X_{i+1} → X_i indexed similarly. Arrows f : X → Y are families of functions f_i : X_i → Y_i indexed similarly obeying the naturality condition f_i ∘ r^X_i = r^Y_i ∘ f_{i+1}.

S is a cartesian closed category with products defined pointwise. Its exponential B^A has, as its component sets (B^A)_i, the set of i-tuples (f1 : A1 → B1, ..., fi : Ai → Bi) obeying the naturality condition, and projections as restriction functions.

Definition 3.2. – The category of sets Set is a full subcategory of S via the functor Δ : Set → S with (ΔZ)_i = Z, r^{ΔZ}_i = id_Z, and (Δf)_i = f. Objects in this subcategory are called constant objects. In particular the terminal object 1 of S is Δ{*} and the natural numbers object is ΔN;

– Δ is left adjoint to hom_S(1, −); write ■ for Δ ∘ hom_S(1, −) : S → S. unbox : ■ → id_S is the counit of the resulting comonad. Concretely unbox_i(x) = x_i, i.e. the i'th component of x : 1 → X applied to *;

– ► : S → S is defined by (►X)_1 = {*} and (►X)_{i+1} = X_i, with r^{►X}_1 defined uniquely and r^{►X}_{i+1} = r^X_i. Its action on arrows f : X → Y is (►f)_1 unique and (►f)_{i+1} = f_i. The natural transformation next : id_S → ► has next_1 unique and next_{i+1} = r^X_i for any X.

Definition 3.3. We interpret types in context V ⊢ A, where V contains n free variables, as functors ⟦V ⊢ A⟧ : (S^op × S)^n → S, usually written ⟦A⟧. This mixed variance definition is necessary as variables may appear negatively or positively.

– ⟦V, α ⊢ α⟧ is the projection of the objects or arrows corresponding to positive occurrences of α, e.g. ⟦α⟧(W, X, Y) = Y;

– ⟦1⟧ and ⟦N⟧ are the constant functors Δ{*} and ΔN respectively;

– ⟦A1 × A2⟧(W) = ⟦A1⟧(W) × ⟦A2⟧(W) and likewise for S-arrows;

– ⟦A1 → A2⟧(W) = ⟦A2⟧(W)^{⟦A1⟧(W')} where W' is W with odd and even elements switched to reflect change in polarity, i.e. (X1, Y1, ...)' = (Y1, X1, ...);

– ⟦►A⟧, ⟦■A⟧ are defined by composition with the functors of Def. 3.2;

– ⟦μα.A⟧(W) = Fix(F), where F : (S^op × S) → S is the functor given by F(X, Y) = ⟦A⟧(W, X, Y) and Fix(F) is the unique (up to isomorphism) X such that F(X, X) ≅ X. The existence of such X relies on F being a suitably locally contractive functor, which follows by Birkedal et al. [6, Sec. 4-5] and the fact that ■ is only ever applied to closed types. This restriction on ■ is necessary because the functor ■ is not strong.

Example 3.4. ⟦Str^g⟧_i = N^i, with projections as restriction functions, so is an object of approximations of streams: first the head, then the first two elements, and so forth. ⟦Str⟧_i = N^ω at all levels, so is the constant object of streams. More generally, any polynomial functor F on Set can be assigned a gλ-type A_F with a free type variable α that occurs guarded. The denotation of ■μα.A_F is the constant object of the carrier of the final coalgebra for F.

Lemma 3.5. The interpretation of a recursive type is isomorphic to the interpretation of its unfolding: ⟦μα.A⟧(W) ≅ ⟦A[μα.A/α]⟧(W).

Lemma 3.6. Closed constant types denote constant objects in S.

Note that the converse does not apply; for example ⟦►1⟧ is a constant object.

Definition 3.7. We interpret typing contexts Γ = x1 : A1, ..., xn : An as S-objects ⟦Γ⟧ = ⟦A1⟧ × ··· × ⟦An⟧ and hence interpret typed terms-in-context Γ ⊢ t : A as S-arrows ⟦Γ ⊢ t : A⟧ : ⟦Γ⟧ → ⟦A⟧ (usually written ⟦t⟧) as follows.

⟦x⟧ is the projection ⟦Γ⟧ × ⟦A⟧ → ⟦A⟧. ⟦zero⟧ and ⟦succ t⟧ are as obvious. Term-formers for products and function spaces are interpreted via the cartesian closed structure of S. Exponentials are not pointwise, so we give explicitly:
– ⟦λx.t⟧_i(γ)_j maps a ↦ ⟦Γ, x : A ⊢ t : B⟧_j(γ|_j, a), where γ|_j is the result of applying restriction functions to γ ∈ ⟦Γ⟧_i to get an element of ⟦Γ⟧_j;

– ⟦t1 t2⟧_i(γ) = (⟦t1⟧_i(γ)_i)(⟦t2⟧_i(γ));

⟦fold t⟧ and ⟦unfold t⟧ are defined via composition with the isomorphisms of Lem. 3.5. ⟦next t⟧ and ⟦unbox t⟧ are defined by composition with the natural transformations introduced in Def. 3.2. The final three cases are

– ⟦prev[x1 ← t1, ...].t⟧_i(γ) = ⟦t⟧_{i+1}(⟦t1⟧_i(γ), ...), where ⟦t1⟧_i(γ) ∈ ⟦A1⟧_i is also in ⟦A1⟧_{i+1} by Lem. 3.6;

– ⟦box[x1 ← t1, ...].t⟧_i(γ)_j = ⟦t⟧_j(⟦t1⟧_i(γ), ...), using Lem. 3.6;

– ⟦t1 ⊛ t2⟧_1 is defined uniquely; ⟦t1 ⊛ t2⟧_{i+1}(γ) = (⟦t1⟧_{i+1}(γ)_i)(⟦t2⟧_{i+1}(γ)).

Lemma 3.8. Given typed terms in context x1 : A1, ..., xm : Am ⊢ t : A and Γ ⊢ tk : Ak for 1 ≤ k ≤ m, ⟦t[t⃗/x⃗]⟧_i(γ) = ⟦t⟧_i(⟦t1⟧_i(γ), ..., ⟦tm⟧_i(γ)).

Theorem 3.9 (Soundness). If t ↦ u then ⟦t⟧ = ⟦u⟧.

We now define a logical relation between our denotational semantics and terms, from which both normalisation and adequacy will follow. Doing this inductively proves rather delicate, because induction on size will not support reasoning about our values, as fold refers to a larger type in its premise. This motivates a notion of unguarded size under which A[μα.A/α] is 'smaller' than μα.A. But under this metric ►A is smaller than A, so next now poses a problem. But the meaning of ►A at index i + 1 is determined by A at index i, and so, as in Birkedal et al. [7], our relation will also induct on index. This in turn creates problems with box, whose meaning refers to all indexes simultaneously, motivating a notion of box depth, allowing us finally to attain well-defined induction.


Definition 3.10. The unguarded size us of an open type follows the obvious definition for type size, except that us(►A) = 0.

The box depth bd of an open type is

– bd(A) = 0 for A ∈ {α, 0, 1, N};

– bd(A × B) = min(bd(A), bd(B)), and similarly for bd(A → B);

– bd(μα.A) = bd(A), and similarly for bd(►A);

– bd(■A) = bd(A) + 1.

Lemma 3.11. (i) α guarded in A implies us(A[B/α]) ≤ us(A).

(ii) bd(B) ≤ bd(A) implies bd(A[B/α]) ≤ bd(A).
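The side conditions of Fig. 1 (α guarded in μα.A, ■ only on closed types), the constancy test of Def. 2.8, and the measures us and bd of Def. 3.10, as an added example that is not from the paper or its Agda implementation. The tuple encoding of types and the helper names are mine; us counts every type-former as one unit, which is the 'obvious definition' of size assumed here. Unfolding Str^g shows Lem. 3.11 at work: the unfolding does not increase unguarded size or box depth, which is what the well-definedness argument for Def. 3.12 relies on.

```python
# Type encoding (assumed, not the paper's): ('var', a), ('unit',), ('nat',),
# ('prod', A, B), ('arrow', A, B), ('mu', a, A), ('later', A), ('box', A).

def guarded(a, A, under_later=False):
    """Def. 2.7: every free occurrence of a in A lies beneath a ►."""
    k = A[0]
    if k == 'var':
        return A[1] != a or under_later
    if k in ('unit', 'nat'):
        return True
    if k in ('prod', 'arrow'):
        return guarded(a, A[1], under_later) and guarded(a, A[2], under_later)
    if k == 'mu':                      # an inner binder for a shadows the outer one
        return A[1] == a or guarded(a, A[2], under_later)
    if k == 'later':
        return guarded(a, A[1], True)
    return guarded(a, A[1], under_later)   # box

def well_formed(A, V=frozenset()):
    """Fig. 1: V ⊢ A, with the side condition on μ and the premise • ⊢ A for ■A."""
    k = A[0]
    if k == 'var':
        return A[1] in V
    if k in ('unit', 'nat'):
        return True
    if k in ('prod', 'arrow'):
        return well_formed(A[1], V) and well_formed(A[2], V)
    if k == 'mu':
        return well_formed(A[2], V | {A[1]}) and guarded(A[1], A[2])
    if k == 'later':
        return well_formed(A[1], V)
    return well_formed(A[1], frozenset())   # box: the body must be closed

def constant(A, under_box=False):
    """Def. 2.8, for closed types: every ► lies beneath a ■."""
    k = A[0]
    if k in ('var', 'unit', 'nat'):
        return True
    if k in ('prod', 'arrow'):
        return constant(A[1], under_box) and constant(A[2], under_box)
    if k == 'mu':
        return constant(A[2], under_box)
    if k == 'later':
        return under_box and constant(A[1], under_box)
    return constant(A[1], True)            # box

def us(A):
    """Def. 3.10: unguarded size, with every ► subtree counting 0."""
    k = A[0]
    if k in ('var', 'unit', 'nat'):
        return 1
    if k in ('prod', 'arrow'):
        return 1 + us(A[1]) + us(A[2])
    if k == 'mu':
        return 1 + us(A[2])
    if k == 'later':
        return 0
    return 1 + us(A[1])                    # box

def bd(A):
    """Def. 3.10: box depth."""
    k = A[0]
    if k in ('var', 'unit', 'nat'):
        return 0
    if k in ('prod', 'arrow'):
        return min(bd(A[1]), bd(A[2]))
    if k == 'mu':
        return bd(A[2])
    if k == 'later':
        return bd(A[1])
    return bd(A[1]) + 1                    # box

def subst_type(A, a, B):
    """A[B/a] for closed B, so no capture can occur."""
    k = A[0]
    if k == 'var':
        return B if A[1] == a else A
    if k in ('unit', 'nat'):
        return A
    if k in ('prod', 'arrow'):
        return (k, subst_type(A[1], a, B), subst_type(A[2], a, B))
    if k == 'mu':
        return A if A[1] == a else (k, A[1], subst_type(A[2], a, B))
    return (k, subst_type(A[1], a, B))

def unfold_type(M):
    """A[μα.A/α] for M = μα.A, the type fold refers to in its premise."""
    return subst_type(M[2], M[1], M)

STR_G = ('mu', 'a', ('prod', ('nat',), ('later', ('var', 'a'))))   # Str^g = μα. N × ►α
STR = ('box', STR_G)                                                # Str = ■Str^g
```

well_formed rejects both μα. N × α (α unguarded) and μα. N × ■►α (■ applied to an open type), the two restrictions discussed after Fig. 1, while constant separates Str from Str^g.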

Definition 3.12. The family of relations R^A_i, indexed by closed types A and positive integers i, relates elements of the semantics a ∈ ⟦A⟧_i and closed typed terms t : A and is defined as

– * R^1_i t iff t ↦* ⟨⟩;

– n R^N_i t iff t ↦* succ^n zero;

– (a1, a2) R^{A1×A2}_i t iff t ↦* ⟨t1, t2⟩ and a_d R^{A_d}_i t_d for d ∈ {1, 2};

– f R^{A→B}_i t iff t ↦* λx.s and for all j ≤ i, a R^A_j u implies f_j(a) R^B_j s[u/x];

– a R^{μα.A}_i t iff t ↦* fold u and h_i(a) R^{A[μα.A/α]}_i u, where h is the "unfold" isomorphism for the recursive type (ref. Lem. 3.5);

– a R^{►A}_i t iff t ↦* next u and, where i > 1, a R^A_{i-1} u;

– a R^{■A}_i t iff t ↦* box u and for all j, a_j R^A_j u.

This is well-defined by induction on the lexicographic ordering on box depth, then index, then unguarded size. First the ■ case strictly decreases box depth, and no other case increases it (ref. Lem. 3.11(ii) for μ-types). Second the ► case strictly decreases index, and no other case increases it (disregarding ■). Finally all other cases strictly decrease unguarded size, as seen via Lem. 3.11(i) for μ-types.

Lemma 3.13 (Fundamental Lemma). Take Γ = (x1 : A1, ..., xm : Am), Γ ⊢ t : A, and ⊢ tk : Ak for 1 ≤ k ≤ m. Then for all i, if a_k R^{A_k}_i t_k for all k, then

⟦Γ ⊢ t : A⟧_i(a⃗) R^A_i t[t⃗/x⃗].

Theorem 3.14 (Adequacy and Normalisation).

(i) For all closed terms ⊢ t : A it holds that
(ii) ⟦⊢ t : N⟧_1 = n implies t ↦* succ^n zero;
(iii) All closed typed terms evaluate to a value.

Proof. (i) specialises Lem. 3.13 to closed types. (ii), (iii) hold by (i) and inspection of Def. 3.12.

Definition 3.15. Typed contexts with typed holes are defined as obvious. Two terms Γ ⊢ t : A, Γ ⊢ u : A are contextually equivalent, written t ≃ctx u, if for all closing contexts C of type N, the terms C[t] and C[u] reduce to the same value.

Corollary 3.16. ⟦t⟧ = ⟦u⟧ implies t ≃ctx u.

Proof. ⟦C[t]⟧ = ⟦C[u]⟧ by compositionality of the denotational semantics. Then by Thm. 3.14(ii) they reduce to the same value.

4 Logic for Guarded Lambda Calculus

This section presents our program logic Lgλ for the guarded λ-calculus. The logic is an extension of the internal language of S [6, 9]. Thus it extends multi-sorted intuitionistic higher-order logic with two propositional modalities ▷ and □, pronounced later and always respectively. The term language of Lgλ includes the terms of gλ, and the types of Lgλ include types definable in gλ. We write Ω for the type of propositions, and also for the subobject classifier of S.

The rules for definitional equality extend the usual βη-laws for functions and products with new equations for the new gλ constructs, listed in Fig. 3.

Definition 4.1. A type A is total and inhabited if the formula Total(A) = ∀x : ►A, ∃x' : A, next(x') =_{►A} x is valid.
   Γ ⊢ t : A[μα.A/α]           Γ ⊢ t : μα.A             Γ ⊢ t1 : A → B    Γ ⊢ t2 : A
  ------------------------   -----------------------   -----------------------------------
  Γ ⊢ unfold(fold t) = t     Γ ⊢ fold(unfold t) = t    Γ ⊢ next t1 ⊛ next t2 = next(t1 t2)

    Γ_■ ⊢ t : A    Γ ⊢ t⃗ : Γ_■                 Γ_■ ⊢ t : ►A    Γ ⊢ t⃗ : Γ_■
  --------------------------------------     ------------------------------------
  Γ ⊢ prev[x⃗ ← t⃗].(next t) = t[t⃗/x⃗]          Γ ⊢ next(prev[x⃗ ← t⃗].t) = t[t⃗/x⃗]

    Γ_■ ⊢ t : A    Γ ⊢ t⃗ : Γ_■                 Γ_■ ⊢ t : ■A    Γ ⊢ t⃗ : Γ_■
  --------------------------------------     ------------------------------------
  Γ ⊢ unbox(box[x⃗ ← t⃗].t) = t[t⃗/x⃗]             Γ ⊢ box[x⃗ ← t⃗].unbox t = t[t⃗/x⃗]

Fig. 3. Additional equations. The context Γ_■ is assumed constant.


All of the gλ-types defined in Sec. 2 are total and inhabited (see App. E for a proof using the semantics of the logic), but that is not the case when we include sum types, as the empty type is not inhabited.

Corresponding to the modalities ► and ■ on types, we have modalities ▷ and □ on formulas. The modality ▷ is used to express that a formula holds only "later", that is, after a time step. It is given by a function symbol ▷ : Ω → Ω. The □ modality is used to express that a formula holds for all time steps. Unlike the ▷ modality, □ on formulas does not arise from a function on Ω [5]. As with box, it is only well-behaved in constant contexts, so we will only allow □ in such contexts. The rules for ▷ and □ are listed in Fig. 4.


  Γ | Ξ, ▷φ ⊢ φ                                   Γ | Ξ ⊢ φ
  --------------  (Löb)                           -----------
    Γ | Ξ ⊢ φ                                     Γ | Ξ ⊢ ▷φ

  Γ, x : X | ∃y : Y, ▷φ(x, y) ⊢ ▷(∃y : Y, φ(x, y))      (∃▷)

  Γ, x : X | ▷(∀y : Y, φ(x, y)) ⊢ ∀y : Y, ▷φ(x, y)      (∀▷)

  Γ | ▷(φ * ψ) ⊣⊢ ▷φ * ▷ψ        for * ∈ {∧, ∨, ⇒}

   Γ | φ ⊢ ψ
  -------------        Γ | □φ ⊢ φ        Γ | □φ ⊢ □□φ
  Γ | □φ ⊢ □ψ

  ∀x, y : X. ▷(x =_X y) ⇔ next x =_{►X} next y

Fig. 4. Rules for ▷ and □. The judgement Γ | Ξ ⊢ φ expresses that in typing context Γ, hypotheses in Ξ prove φ. The converse entailment in the ∀▷ and ∃▷ rules holds if Y is total and inhabited. In all rules involving □ the context Γ is assumed constant.


The ▷ modality can in fact be defined in terms of lift : ►Ω → Ω (called succ by Birkedal et al.) as ▷ = lift ∘ next. The lift function will be useful since it allows us to define predicates over guarded types, such as predicates on Str^g.

The semantics of the logic is given in S; terms are interpreted as morphisms of S and formulas are interpreted via the subobject classifier. We do not present the semantics here; except for the new terms of gλ, whose semantics are defined in Sec. 3, the semantics are as in [6, 8].

Later we will come to the problem of proving x =_{■A} y from unbox x =_A unbox y, where x, y have type ■A. This in general does not hold, but using the semantics of Lgλ we can prove the proposition below.

Proposition 4.2. The formula □(unbox x =_A unbox y) ⇒ x =_{■A} y is valid.

There exists a fixed-point combinator of type (►A → A) → A for all types A in the logic (not only those of gλ) [6, Thm. 2.4]; we also write fix for it.

Proposition 4.3. For any term f : ►A → A we have fix f =_A f(next(fix f)) and, if u is any other term such that f(next u) =_A u, then u =_A fix f.

In particular this can be used for recursive definitions of predicates. For instance if P : N → Ω is a predicate on natural numbers we can define a predicate P_Str^g on Str^g expressing that P holds for all elements of the stream:

P_Str^g = fix λr.λxs. P(hd^g xs) ∧ lift(r ⊛ (tl^g xs)) : Str^g → Ω.

The logic may be used to prove contextual equivalence of programs:

Theorem 4.4. Let t1 and t2 be two gλ terms of type A in context Γ. If the sequent Γ | ∅ ⊢ t1 =_A t2 is provable then t1 and t2 are contextually equivalent.

Proof. Recall that equality in the internal logic of a topos is just equality of morphisms. Hence t1 and t2 denote the same morphism from Γ to A. Adequacy (Cor. 3.16) then implies that t1 and t2 are contextually equivalent.

Example 4.5. We list some properties provable using the logic. Except for the first property all proof details are in App. B.

(i) For any f : A → B and g : B → C we have

(map^g f) ∘ (map^g g) = map^g(f ∘ g).

Unfolding the definition of map^g from Ex. 2.10(v) and using β-rules and Prop. 4.3 we have map^g f xs = f(hd^g xs) :: (next(map^g f) ⊛ (tl^g xs)). Equality of functions is extensional so we have to prove

φ = ∀xs : Str^g, map^g f (map^g g xs) =_{Str^g} map^g(f ∘ g) xs.

The proof is by Löb induction, so we assume ▷φ and take xs : Str^g. Using the above property of map^g we unfold map^g f (map^g g xs) to

f(g(hd^g xs)) :: (next(map^g f) ⊛ ((next(map^g g)) ⊛ tl^g xs))

and we unfold map^g(f ∘ g) xs to f(g(hd^g xs)) :: (next(map^g(f ∘ g)) ⊛ tl^g xs). Since Str^g is a total type there is an xs' : Str^g such that next xs' = tl^g xs. Using this and the rule for ⊛ we have

next(map^g f) ⊛ ((next(map^g g)) ⊛ tl^g xs) =_{►Str^g} next(map^g f (map^g g xs'))

and next(map^g(f ∘ g)) ⊛ tl^g xs =_{►Str^g} next(map^g(f ∘ g) xs'). From the induction hypothesis we have ▷(map^g(f ∘ g) xs' =_{Str^g} map^g f (map^g g xs')) and so the rule relating ▷ and next concludes the proof.








(ii) We can also reason about acausal functions. For any n : N, f : N → N,

every2nd(box ι. iterate (next f) n) =_{Str^g} iterate (next f²) n,

where f² is λm. f(f m). The proof again uses Löb induction.

(iii) Since our logic is higher-order we can state and prove very general properties, for instance the following general property of map

∀P, Q : (N → Ω), ∀f : N → N, (∀x : N, P(x) ⇒ Q(f(x)))
    ⇒ ∀xs : Str^g, P_Str^g(xs) ⇒ Q_Str^g(map^g f xs).

The proof illustrates the use of the property lift ∘ next = ▷.

(iv) Given a closed term (we can generalise to terms in constant contexts) f of type A → B we have box f of type ■(A → B). Define L(f) = lim(box f) of type ■A → ■B. For any closed term f : A → B and x : ■A we can then prove unbox(L(f) x) =_B f(unbox x). Then using Prop. 4.2 we can, for instance, prove L(f ∘ g) = L(f) ∘ L(g).

For functions of arity k we define L_k using L, and analogous properties hold, e.g. we have unbox(L_2(f) x y) = f(unbox x)(unbox y), which allows us to transfer equalities proved for functions on guarded types to functions on ■'d types; see Sec. 5 for an example.

5 Behavioural Differential Equations in gA 

In this section we demonstrate the expressivity of our approach by showing how 
to construct solutions to behavioural differential equations |2n] in gA, and how 
to reason about such functions in LgX, rather than with bisimulation as is more 
traditional. These ideas are best explained via a simple example. 

Supposing addition : N —^ N N is given, then pointwise addition of 
streams, plus, can be defined by the following behavioural differential equation 

hd(plus(Ti 0 - 2 ) = hd cTi -f hd a 2 tl(pluscri 0 - 2 ) = plus(tl ai) (tl 0 - 2 ). 

To define the solution to this behavioural differential equation in gA, we first 
translate it to a function on guarded streams plus® : Str® ^ Str® —^ Str®, as 

plus® = fix A/.Asi.As 2 .(hd® si + hd® S 2 ) :: (/ ® (tl® si) ® (tl® S 2 )) 

then define plus : Str —^ Str —!► Str by plus = £ 2 (plus®). By Prop. IT^ we have 

plus® = Asi.As 2 -(hd® Si -I- hd® S 2 ) :: ((next plus®) ® (tl® si) ® (tl® S 2 )). (1) 

This definition of plus satisfies the specification given by the behavioural differential equation above. Let σ1, σ2 : Str and recall that hd = hd^g ∘ λs. unbox s. Then use Ex. 4.5(iv) and equality (1) to get hd(plus σ1 σ2) = hd σ1 + hd σ2. For tl we proceed similarly, also using that tl^g(unbox σ) = next(unbox(tl σ)), which can be proved using the β-rule for box and the η-rule for next.

Since plus^g is defined via guarded recursion we can reason about it with Löb induction, for example to prove that it is commutative. Ex. 4.5(iv) and Prop. 4.2 then immediately give that plus on coinductive streams Str is commutative.

Once we have defined plus^g we can use it when defining other functions on streams, for instance stream multiplication ⊗, which is specified by the equations

hd(σ1 ⊗ σ2) = (hd σ1) · (hd σ2)        tl(σ1 ⊗ σ2) = (ρ(hd σ1) ⊗ (tl σ2)) ⊕ ((tl σ1) ⊗ σ2)

where ρ(n) is the stream with head n and tail a stream of zeros, · is multiplication of natural numbers, and ⊕ is infix notation for plus. We can define ⊗^g : Str^g → Str^g → Str^g by ⊗^g =

fix λf.λs1.λs2.((hd^g s1) · (hd^g s2)) :: (next plus^g ⊛ (f ⊛ next ρ^g(hd^g s1) ⊛ tl^g s2) ⊛ (f ⊛ tl^g s1 ⊛ next s2))

then define ⊗ = ℒ_2(⊗^g). It can be shown that the function ⊗ so defined satisfies the two defining equations above. Note that the guarded plus^g is used to define ⊗^g, so our approach is modular in the sense of [16].

The example above generalises, as we can show that any solution to a behavioural differential equation in Set can be obtained via guarded recursion together with ℒ_k. The formal statement is somewhat technical and can be found in App. D.
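The plus and ⊗ definitions above, and the general (h_f, t_f) scheme that they instantiate (App. D.1), as an added Python example that is not part of the paper. A stream is modelled as a head plus a thunk for the tail; the thunk plays the role of next/▶, so a recursive call that occurs only inside the thunk is guarded, and forcing any finite prefix terminates. The helper solve_bde goes beyond the two hand-written fixed points: it builds the k-ary function for any pair of head/tail equations. The names Stream, solve_bde, rho, take and the sample streams are this example's own, and the inputs are constructed here.

```python
from __future__ import annotations
from typing import Callable, List, Optional, Sequence


class Stream:
    """A stream as a head plus a thunk that produces the tail on demand.
    The thunk is the guard: nothing below it is computed until forced."""

    def __init__(self, head: int, tail_thunk: Callable[[], "Stream"]):
        self.head = head
        self._thunk = tail_thunk
        self._tail: Optional["Stream"] = None  # memoised: each tail is forced once

    def tail(self) -> "Stream":
        if self._tail is None:
            self._tail = self._thunk()
        return self._tail


def take(s: Stream, n: int) -> List[int]:
    """Force the first n elements; productivity means this always terminates."""
    out: List[int] = []
    for _ in range(n):
        out.append(s.head)
        s = s.tail()
    return out


def constant(n: int) -> Stream:
    # recursive call only inside the thunk: guarded
    return Stream(n, lambda: constant(n))


def rho(n: int) -> Stream:
    """The paper's ρ(n): head n, then a stream of zeros."""
    return Stream(n, lambda: constant(0))


def solve_bde(hf: Callable[[Sequence[int]], int],
              tf: Callable[[Callable[..., Stream], Sequence[int],
                            Sequence[Stream], Sequence[Stream]], Stream]
              ) -> Callable[..., Stream]:
    """Build the k-ary stream function f specified by the behavioural
    differential equation (hf, tf), in the shape of App. D.1:
        hd(f σ⃗) = hf(hd σ⃗)
        tl(f σ⃗) = tf(f, hd σ⃗, σ⃗, tl σ⃗)
    f is only used inside the tail thunk, i.e. under the guard, which is
    what makes every prefix of the resulting stream computable."""
    def f(*streams: Stream) -> Stream:
        heads = [s.head for s in streams]
        return Stream(hf(heads),
                      lambda: tf(f, heads, streams, [s.tail() for s in streams]))
    return f


# plus: hd(plus σ1 σ2) = hd σ1 + hd σ2,  tl(plus σ1 σ2) = plus (tl σ1) (tl σ2)
plus = solve_bde(lambda h: h[0] + h[1],
                 lambda f, h, s, t: f(t[0], t[1]))

# mult (the paper's ⊗): hd = hd σ1 · hd σ2,
#   tl = (ρ(hd σ1) ⊗ tl σ2) ⊕ (tl σ1 ⊗ σ2), using the already-defined plus
mult = solve_bde(lambda h: h[0] * h[1],
                 lambda f, h, s, t: plus(f(rho(h[0]), t[1]), f(t[0], s[1])))


def nats() -> Stream:
    """Constructed sample input: 0, 1, 2, 3, ..."""
    def from_(n: int) -> Stream:
        return Stream(n, lambda: from_(n + 1))
    return from_(0)


def demo() -> dict:
    ones = constant(1)
    return {
        # pointwise sum of 0,1,2,... and 1,1,1,...
        "plus": take(plus(nats(), ones), 6),
        # ⊗ is the convolution (power-series) product: 1/(1-x)^2 = 1 + 2x + 3x^2 + ...
        "ones_times_ones": take(mult(ones, ones), 6),
        # nats ⊗ ones gives the partial sums 0, 0+1, 0+1+2, ...
        "nats_times_ones": take(mult(nats(), ones), 6),
    }
```

Forcing a prefix of length n of a ⊗-stream with this direct transcription creates about 2^n mult nodes, because each tail of a product is a plus of two fresh products; the point here is productivity and the fixed-point construction, not efficiency, so keep the requested prefixes short.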


6 Discussion 

Following Nakano [18], the ▶ modality has been used as type-former for a number of λ-calculi for guarded recursion. Nakano's calculus and some successors permit only causal functions. The closest such work to ours is that of Abel and Vezzosi [2], but due to a lack of a destructor for ▶ their (strong) normalisation result relies on a somewhat artificial operational semantics where the number of nexts that can be reduced under is bounded by some fixed natural number.

Atkey and McBride's extension of such calculi to acausal functions [4] forms the basis of this paper. We build on their work by (aside from various minor changes such as eliminating the need to work modulo first-class type isomorphisms) introducing normalising operational semantics, an adequacy proof with respect to the topos of trees, and a program logic.

An alternative approach to type-based productivity guarantees is sized types, introduced by Hughes et al. [13] and now extensively developed, for example integrated into a variant of System F^ω [1]. Our approach offers some advantages, such as adequate denotational semantics, and a notion of program proof without appeal to dependent types, but extensions with realistic language features (e.g. following Møgelberg [17]) clearly need to be investigated.





Acknowledgements 

We gratefully acknowledge our discussions with Andreas Abel, Tadeusz Litak, Stefan Milius, Rasmus Møgelberg, Filip Sieczkowski, and Andrea Vezzosi, and the comments of the reviewers. This research was supported in part by the ModuRes Sapere Aude Advanced Grant from The Danish Council for Independent Research for the Natural Sciences (FNU). Aleš Bizjak is supported in part by a Microsoft Research PhD grant.

References 

1. Abel, A., Pientka, B.: Wellfounded recursion with copatterns: A unified approach to termination and productivity. In: ICFP. pp. 185-196 (2013)

2. Abel, A., Vezzosi, A.: A formalized proof of strong normalization for guarded recursive types. In: APLAS. pp. 140-158 (2014)

3. Appel, A.W., Melliès, P.A., Richards, C.D., Vouillon, J.: A very modal model of a modern, major, general type system. In: POPL. pp. 109-122 (2007)

4. Atkey, R., McBride, C.: Productive coprogramming with guarded recursion. In: ICFP. pp. 197-208 (2013)

5. Bierman, G.M., de Paiva, V.C.: On an intuitionistic modal logic. Studia Logica 65(3), 383-416 (2000)

6. Birkedal, L., Møgelberg, R.E., Schwinghammer, J., Støvring, K.: First steps in synthetic guarded domain theory: step-indexing in the topos of trees. LMCS 8(4) (2012)

7. Birkedal, L., Schwinghammer, J., Støvring, K.: A metric model of lambda calculus with guarded recursion. In: FICS. pp. 19-25 (2010)

8. Bizjak, A., Birkedal, L., Miculan, M.: A model of countable nondeterminism in guarded type theory. In: RTA-TLCA. pp. 108-123 (2014)

9. Clouston, R., Goré, R.: Sequent calculus in the topos of trees. In: FoSSaCS (2015)

10. Coquand, T.: Infinite objects in type theory. In: TYPES. pp. 62-78 (1993)

11. Endrullis, J., Grabmayer, C., Hendriks, D.: Mix-automatic sequences (2013), Fields Workshop on Combinatorics on Words, contributed talk.

12. Giménez, E.: Codifying guarded definitions with recursive schemes. In: TYPES. pp. 39-59 (1995)

13. Hughes, J., Pareto, L., Sabry, A.: Proving the correctness of reactive systems using sized types. In: POPL. pp. 410-423 (1996)

14. Krishnaswami, N.R., Benton, N.: Ultrametric semantics of reactive programs. In: LICS. pp. 257-266 (2011)

15. McBride, C., Paterson, R.: Applicative programming with effects. J. Funct. Programming 18(1), 1-13 (2008)

16. Milius, S., Moss, L.S., Schwencke, D.: Abstract GSOS rules and a modular treatment of recursive definitions. LMCS 9(3) (2013)

17. Møgelberg, R.E.: A type theory for productive coprogramming via guarded recursion. In: CSL-LICS (2014)

18. Nakano, H.: A modality for recursion. In: LICS. pp. 255-266 (2000)

19. Prawitz, D.: Natural Deduction: A Proof-Theoretical Study. Dover Publ. (1965)

20. Rutten, J.J.M.M.: Behavioural differential equations: A coinductive calculus of streams, automata, and power series. Theor. Comput. Sci. 308(1-3), 1-53 (2003)

21. Severi, P.G., de Vries, F.J.J.: Pure type systems with corecursion on streams: from finite to infinitary normalisation. In: ICFP. pp. 141-152 (2012)



A Proofs for Section 3

Proof (of Lem. 3.6). By induction on type formation, with the ▶A case omitted, ■A a base case, and μα.A considered only where α is not free in A.

Proof (of Lem. 3.8). By induction on the typing of t. We present the cases particular to our calculus.

next t: case i = 1 is trivial. ⟦(next t)[t⃗/x⃗]⟧_{i+1}(γ) = r_i ∘ ⟦t[t⃗/x⃗]⟧_{i+1}(γ) = r_i ∘ ⟦t⟧_{i+1}(⟦t_1⟧_{i+1}(γ), …) by induction, which is ⟦next t⟧_{i+1}(⟦t_1⟧_{i+1}(γ), …).

⟦(prev[y⃗ ← u⃗].t)[t⃗/x⃗]⟧_i(γ) = ⟦prev[y⃗ ← u⃗[t⃗/x⃗]].t⟧_i(γ), which by definition is ⟦t⟧_{i+1}(⟦u_1[t⃗/x⃗]⟧_i(γ), …) = ⟦t⟧_{i+1}(⟦u_1⟧_i(⟦t_1⟧_i(γ), …), …) by induction, which is ⟦prev[y⃗ ← u⃗].t⟧_i(⟦t_1⟧_i(γ), …).

⟦(box[y⃗ ← u⃗].t)[t⃗/x⃗]⟧_i(γ)_j = ⟦t⟧_j(⟦u_1[t⃗/x⃗]⟧_i(γ), …), which by induction equals ⟦t⟧_j(⟦u_1⟧_i(⟦t_1⟧_i(γ), …), …) = ⟦box[y⃗ ← u⃗].t⟧_i(⟦t_1⟧_i(γ), …)_j.

⟦(unbox t)[t⃗/x⃗]⟧_i(γ) = ⟦t[t⃗/x⃗]⟧_i(γ)_i = ⟦t⟧_i(⟦t_1⟧_i(γ), …)_i by induction, which is ⟦unbox t⟧_i(⟦t_1⟧_i(γ), …).

u_1 ⊛ u_2: case i = 1 is trivial. ⟦(u_1 ⊛ u_2)[t⃗/x⃗]⟧_{i+1}(γ) = (⟦u_1[t⃗/x⃗]⟧_{i+1}(γ))_i ∘ ⟦u_2[t⃗/x⃗]⟧_{i+1}(γ) = (⟦u_1⟧_{i+1}(⟦t_1⟧_{i+1}(γ), …))_i ∘ ⟦u_2⟧_{i+1}(⟦t_1⟧_{i+1}(γ), …), which is ⟦u_1 ⊛ u_2⟧_{i+1}(⟦t_1⟧_{i+1}(γ), …).

Proof (of Soundness Thm. 3.9). We verify the reduction rules of Sec. 2; extending this to any evaluation context, and to ↦*, is easy. The product reduction case is standard, and the function case requires Lem. 3.8. unfold fold is the application of mutually inverse arrows.

⟦prev[x⃗ ← t⃗].t⟧_i = ⟦t⟧_{i+1}(⟦t_1⟧_i, …). Each t_k is closed, so is denoted by an arrow from 1 to the constant S-object ⟦A_k⟧, so by naturality ⟦t_k⟧_i = ⟦t_k⟧_{i+1}. But ⟦t⟧_{i+1}(⟦t_1⟧_{i+1}, …) = ⟦t[t⃗/x⃗]⟧_{i+1} by Lem. 3.8, which is ⟦prev t[t⃗/x⃗]⟧_i. ⟦prev next t⟧_i = ⟦next t⟧_{i+1} = ⟦t⟧_i.

⟦unbox(box[x⃗ ← t⃗].t)⟧_i = (⟦box[x⃗ ← t⃗].t⟧_i)_i = ⟦t⟧_i(⟦t_1⟧_i, …) = ⟦t[t⃗/x⃗]⟧_i.

With ⊛-reduction, index 1 is trivial. ⟦next t_1 ⊛ next t_2⟧_{i+1} = (⟦next t_1⟧_{i+1})_i ∘ ⟦next t_2⟧_{i+1} = (r_i ∘ ⟦t_1⟧_{i+1})_i ∘ r_i ∘ ⟦t_2⟧_{i+1} = (⟦t_1⟧_i ∘ r_i)_i ∘ ⟦t_2⟧_i ∘ r_i by naturality, which is (⟦t_1⟧_i)_i ∘ ⟦t_2⟧_i ∘ r_i = ⟦t_1 t_2⟧_i ∘ r_i = r_i ∘ ⟦t_1 t_2⟧_{i+1} = ⟦next(t_1 t_2)⟧_{i+1}.

Proof (of Lem. 3.11). By induction on the construction of the type A.

(i) follows with only interesting case the variable case: A cannot be α because of the requirement that α be guarded in A.

(ii) follows with interesting cases: the variable case enforces bd(B) = 0; for the binary type-formers ×, → we have for example bd(A_d) > bd(A_1 × A_2), so bd(A_d) > bd(B) and the induction follows; ■A by construction has no free variables.

Lemma A.1. If t ↦ u and a R_i^A u then a R_i^A t.

Proof. All cases follow similarly; consider A_1 × A_2. (a_1, a_2) R_i^{A_1 × A_2} u implies u ↦* (u_1, u_2), where this value obeys some property. But then t ↦* (u_1, u_2) similarly.

Lemma A.2. a R_{i+1}^A t implies r_i^{⟦A⟧}(a) R_i^A t.




Proof. Cases 1, N are trivial. Case × follows by induction because restrictions are defined pointwise. Case μα.A follows by induction and the naturality of the isomorphism h. Case ■A follows because r_i^{⟦■A⟧}(a) = a.

For A → B take j ≤ i and a' R_j^A u. By the downwards closure in the definition of R^{A → B} we have f_j(a') R_j^B s[u/x]. But f_j = (r_i(f))_j.

With ▶A, case i = 1 is trivial, so take i = j + 1. a R_{j+2}^{▶A} t means t ↦* next u and a R_{j+1}^A u, so by induction r_j(a) R_j^A u, so r_{j+1}^{⟦▶A⟧}(a) R_{j+1}^{▶A} t as required.

Lemma A.3. If a R_i^A t and A is constant, then a R_j^A t for all j.

Proof. Easy induction on types, ignoring ▶A and treating ■A as a base case.

We finally turn to the proof of the Fundamental Lemma.

Proof (of Lem. 3.13). By induction on the typing Γ ⊢ t : A. The ⟨⟩ and zero cases are trivial, and the (u_1, u_2) and fold t cases follow by easy induction.

succ: If t[t⃗/x⃗] reduces to succ^l zero for some l then succ t[t⃗/x⃗] reduces to succ^{l+1} zero, as we may reduce under the succ.

π_d t: If ⟦t⟧_i(a⃗) R_i^{A_1 × A_2} t[t⃗/x⃗] then t[t⃗/x⃗] ↦* (u_1, u_2) and u_d is related to the d'th projection of ⟦t⟧_i(a⃗). But then π_d(u_1, u_2) ↦ u_d, so Lem. A.1 completes the case.

λx.t: Taking j ≤ i and a R_j^A u, we must show that ⟦λx.t⟧_i(a⃗)_j(a) R_j^B t[t⃗/x⃗][u/x]. The left hand side is ⟦t⟧_j(a⃗|_j, a). For each k, a_k|_j R_j^{A_k} t_k by Lem. A.2, and induction completes the case.

u_1 u_2: By induction u_1[t⃗/x⃗] ↦* λx.s and ⟦u_1⟧_i(a⃗)_i(⟦u_2⟧_i(a⃗)) R_i^B s[u_2[t⃗/x⃗]/x]. Now (u_1 u_2)[t⃗/x⃗] ↦* (λx.s)(u_2[t⃗/x⃗]) ↦ s[u_2[t⃗/x⃗]/x], and Lem. A.1 completes.

unfold t: we reduce under unfold, then reduce unfold fold, then use Lem. A.1.

next t: Trivial for index 1. For i = j + 1, if each a_k R_{j+1}^{A_k} t_k then by Lem. A.2 r_j^{⟦A_k⟧}(a_k) R_j^{A_k} t_k. Then by induction (⟦t⟧_j ∘ r_j)(a⃗) R_j^A t[t⃗/x⃗], whose left side is by naturality (r_j ∘ ⟦t⟧_{j+1})(a⃗) = ⟦next t⟧_{j+1}(a⃗).

prev[y⃗ ← u⃗].t: ⟦u_k⟧_i(a⃗) R_i^{A_k} u_k[t⃗/x⃗] by induction, so ⟦u_k⟧_i(a⃗) R_{i+1}^{A_k} u_k[t⃗/x⃗] by Lem. A.3. Then ⟦t⟧_{i+1}(⟦u_1⟧_i(a⃗), …) R_{i+1}^{▶A} t[u_1[t⃗/x⃗]/y_1, …] by induction, so we have t[u_1[t⃗/x⃗]/y_1, …] ↦* next s with ⟦t⟧_{i+1}(⟦u_1⟧_i(a⃗), …) R_i^A s. The left hand side is ⟦prev[y⃗ ← u⃗].t⟧_i(a⃗), while (prev[y⃗ ← u⃗].t)[t⃗/x⃗] ↦ prev t[u_1[t⃗/x⃗]/y_1, …] ↦* prev next s ↦ s, so Lem. A.1 completes.

box[y⃗ ← u⃗].t: To show ⟦box[y⃗ ← u⃗].t⟧_i(a⃗) R_i^{■A} (box[y⃗ ← u⃗].t)[t⃗/x⃗], we observe that the right hand side reduces in one step to box t[u_1[t⃗/x⃗]/y_1, …]. The j'th element of the left hand side is ⟦t⟧_j(⟦u_1⟧_i(a⃗), …). We need to show this is related by R_j^A to t[u_1[t⃗/x⃗]/y_1, …]; this follows by Lem. A.3 and induction.

unbox t: By induction t[t⃗/x⃗] ↦* box u, so unbox t[t⃗/x⃗] ↦* unbox box u ↦ u. By induction ⟦t⟧_i(a⃗)_i R_i^A u, so ⟦unbox t⟧_i(a⃗) R_i^A u, and Lem. A.1 completes.

u_1 ⊛ u_2: Index 1 is trivial so set i = j + 1. ⟦u_2⟧_{j+1}(a⃗) R_{j+1}^{▶A} u_2[t⃗/x⃗] implies u_2[t⃗/x⃗] ↦* next s_2 with ⟦u_2⟧_{j+1}(a⃗) R_j^A s_2. Similarly u_1 ↦* next s_1 and s_1 ↦* λx.s with (⟦u_1⟧_{j+1}(a⃗)_j) ∘ ⟦u_2⟧_{j+1}(a⃗) R_j^B s[s_2/x]. The left hand side is exactly ⟦u_1 ⊛ u_2⟧_{j+1}(a⃗). Now u_1 ⊛ u_2 ↦* next s_1 ⊛ u_2 ↦* next s_1 ⊛ next s_2 ↦ next(s_1 s_2), and s_1 s_2 ↦* (λx.s) s_2 ↦ s[s_2/x], completing the proof.

B Example Proofs in Lgλ

We first record a substitution property of box and prev for later use.

Lemma B.1. Let A_1, …, A_k and B be constant types and C any type. If we have x : B ⊢ t : C and y_1 : A_1, …, y_k : A_k ⊢ t' : B then

box[x ← t'].t =_{■C} box ι.t[t'/x].

If C = ▶D then we also have

prev[x ← t'].t =_D prev ι.t[t'/x].

We can prove the first part of the lemma in the logic, using Prop. 4.2 and the β-rule for box. We can also prove the second part of the lemma for total and inhabited types D with the rules we have stated so far, using the β-rule for next. For arbitrary D we can prove the lemma using the semantics.

B.1 Acausal Example

To see that Löb induction can be used to prove properties of recursively defined acausal functions we show that for any n : N and any f : N → N we have

every2nd(box ι. iterate (next f) n) =_{Str^g} iterate (next f²) n,

where we write f² for λn.f(f n). We first derive the intermediate result

∀m : N, tl(box ι. iterate (next f) m) =_{Str} box ι. iterate (next f) (f m),    (2)

by unfolding and applying Prop. 4.3:

tl(box ι. iterate (next f) m) = box[s ← box ι. iterate (next f) m]. prev ι. tl^g(unbox s)

= box ι. prev ι. tl^g(iterate (next f) m)    (by Lem. B.1)

= box ι. prev ι. next(iterate (next f) (f m))

= box ι. iterate (next f) (f m).

Now assume

▷(∀n : N, every2nd(box ι. iterate (next f) n) =_{Str^g} iterate (next f²) n),    (3)

then by Löb induction we can derive

every2nd(box ι. iterate (next f) n)

= n :: next(every2nd(tl(tl(box ι. iterate (next f) n))))

= n :: next(every2nd(box ι. iterate (next f) (f (f n))))    (by (2))

= n :: next(iterate (next f²) (f (f n)))    (by (3) and …)

= iterate (next f²) n.
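The two functions of this example, as an added Python illustration that is not part of the paper. iterate is written as a guarded generator (it produces one element per step, and the "recursive call" only happens after that element is out), while every2nd is acausal: each output consumes two inputs, so it needs the whole stream, which is what box provides in the calculus. The two checker functions test equation (2) and the identity just proved on a finite prefix, for whatever f and n the caller supplies. The names iterate, tl, every2nd, take and the checkers are this example's own.

```python
from itertools import islice
from typing import Callable, Iterator, List


def iterate(f: Callable[[int], int], n: int) -> Iterator[int]:
    """iterate f n = n :: iterate f (f n).  Guarded: each step yields one
    element and only then computes the seed for the next one."""
    while True:
        yield n
        n = f(n)


def tl(xs: Iterator[int]) -> Iterator[int]:
    """Drop the head of a stream (the paper's tl on coinductive streams)."""
    next(xs)
    return xs


def every2nd(xs: Iterator[int]) -> Iterator[int]:
    """Keep the elements at even positions.  Acausal: one output per two
    inputs, so it cannot be written as a guarded function of a single-step
    input; it needs access to the whole stream."""
    while True:
        yield next(xs)   # keep position 2i
        next(xs)         # drop position 2i+1


def take(xs: Iterator[int], k: int) -> List[int]:
    return list(islice(xs, k))


def check_tail_equation(f: Callable[[int], int], m: int, depth: int) -> bool:
    """Equation (2): tl(iterate f m) = iterate f (f m), compared on a prefix."""
    return take(tl(iterate(f, m)), depth) == take(iterate(f, f(m)), depth)


def check_every2nd_identity(f: Callable[[int], int], n: int, depth: int) -> bool:
    """every2nd(iterate f n) = iterate f² n with f² = λm. f(f m), on a prefix."""
    def f2(m: int) -> int:
        return f(f(m))
    return take(every2nd(iterate(f, n)), depth) == take(iterate(f2, n), depth)
```

A prefix check is of course not a proof; it is the Löb-induction argument above that covers all positions at once, but the checker is a quick way to confirm that the two sides agree for a concrete f before attempting the proof.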
B.2 Higher-Order Logic Example

We now prove

∀P, Q : (N → Ω), ∀f : N → N, (∀x : N, P(x) ⇒ Q(f(x)))

⇒ ∀xs : Str^g, P_{Str^g}(xs) ⇒ Q_{Str^g}(map^g f xs).

This is a simple property of map^g, but the proof shows how the pieces fit together. Recall that map^g satisfies map^g f xs = f(hd^g xs) :: (next(map^g f) ⊛ (tl^g xs)). We prove the property by Löb induction. So let P and Q be predicates on N and f a function on N that satisfies ∀x : N, P(x) ⇒ Q(f(x)). To use Löb induction assume

▷(∀xs : Str^g, P_{Str^g}(xs) ⇒ Q_{Str^g}(map^g f xs))    (4)

and let xs be a stream satisfying P_{Str^g}. Unfolding P_{Str^g}(xs) we get P(hd^g xs) and lift(next P_{Str^g} ⊛ (tl^g xs)), and we need to prove Q(hd^g(map^g f xs)) and also lift(next Q_{Str^g} ⊛ (tl^g(map^g f xs))). The first is easy since Q(hd^g(map^g f xs)) = Q(f(hd^g xs)). For the second we have tl^g(map^g f xs) = next(map^g f) ⊛ (tl^g xs). Since Str^g is a total and inhabited type there is a stream xs' such that next xs' = tl^g xs. This gives tl^g(map^g f xs) = next(map^g f xs'), and so our desired result reduces to lift(next(Q_{Str^g}(map^g f xs'))), while lift(next P_{Str^g} ⊛ (tl^g xs)) is equivalent to lift(next(P_{Str^g}(xs'))). Now lift ∘ next = ▷ and so what we have to prove is ▷(Q_{Str^g}(map^g f xs')) from ▷(P_{Str^g}(xs')), which follows directly from the induction hypothesis (4).


C Sums

This appendix extends Secs. 2, 3 and 4 to add sum types to the gλ-calculus and to the logic Lgλ.

Binary sums in Atkey and McBride [4] come with the type isomorphism ■A + ■B ≅ ■(A + B), but there are not in general terms witnessing this isomorphism. Likewise if binary sums are added to our calculus in the obvious way we may define the term

λx. box ι. case x of x_1. in_1 unbox x_1; x_2. in_2 unbox x_2 : ■A + ■B → ■(A + B)

but no inverse is definable in general. We believe such a map may be useful when working with guarded recursive types involving sums, such as the type of potentially infinite lists, and in any case the isomorphism is valid in the topos of trees and so it is harmless for us to reflect this in our calculus. We do this via a new term-former box^+ allowing us to define

λx. box^+ ι. unbox x : ■(A + B) → ■A + ■B

This construct may be omitted without affecting the results of this section.
Definition C.1 (ref. Defs. 2.1, 2.2, 2.3, 2.4, 2.7, 2.8). gλ-terms are given by the grammar

t ::= ··· | abort t | in_d t | case t of x_1.t; x_2.t | box^+ σ.t

where d ∈ {1, 2}, and x_1, x_2 are variables. We abbreviate terms with box^+ as for prev and box.

The reduction rules on closed gλ-terms with sums are

case in_d t of x_1.t_1; x_2.t_2 ↦ t_d[t/x_d]    (d ∈ {1, 2})

box^+[x⃗ ← t⃗].t ↦ box^+ t[t⃗/x⃗]    (x⃗ non-empty)

box^+ in_d t ↦ in_d box t

Values are terms of the form

··· | in_1 t | in_2 t

Evaluation contexts are defined by the grammar

E ::= ··· | abort E | case E of x_1.t_1; x_2.t_2 | box^+ E

gλ-types for sums are defined inductively by the rules of Fig. 5 and the new typing judgments are given in Fig. 6, where d ∈ {1, 2}.


                            Δ ⊢ A_1    Δ ⊢ A_2
    ─────────              ─────────────────────
    Δ ⊢ 0                     Δ ⊢ A_1 + A_2

Fig. 5. Type formation for sums in the gλ-calculus


       Γ ⊢ t : 0                    Γ ⊢ t : A_d
    ───────────────            ──────────────────────
    Γ ⊢ abort t : A            Γ ⊢ in_d t : A_1 + A_2

    Γ ⊢ t : A_1 + A_2    Γ, x_1 : A_1 ⊢ t_1 : A    Γ, x_2 : A_2 ⊢ t_2 : A
    ─────────────────────────────────────────────────────────────────────
                      Γ ⊢ case t of x_1.t_1; x_2.t_2 : A

    x_1 : A_1, …, x_n : A_n ⊢ t : B_1 + B_2    Γ ⊢ t_1 : A_1  ···  Γ ⊢ t_n : A_n    A_1, …, A_n constant
    ───────────────────────────────────────────────────────────────────────────────────────────────────
                      Γ ⊢ box^+[x_1 ← t_1, …, x_n ← t_n].t : ■B_1 + ■B_2

Fig. 6. Typing rules for sums in the gλ-calculus
We now consider denotational semantics. Note that the initial object of S is Δ∅ (ref. Def. 3.2), while binary coproducts in S are defined pointwise. By naturality it holds that for any arrow f : X → Y + Z and x ∈ X, f_i(x) must be an element of the same side of the sum for all i.

Definition C.2 (ref. Defs. 3.3, 3.7).

— ⟦0⟧ is the constant functor Δ∅;

— ⟦A_1 + A_2⟧(X⃗) = ⟦A_1⟧(X⃗) + ⟦A_2⟧(X⃗) and likewise for S-arrows.

Term-formers for sums are interpreted via S-coproducts, with abort, in_d and case defined as usual, and box^+ defined as follows.

— Let ⟦t⟧_j(⟦t_1⟧_i(γ), …, ⟦t_n⟧_i(γ)) (which is well-defined by Lem. 3.6) be [a_j, d] as j ranges, recalling that d ∈ {1, 2} is the same for all j. Define a : 1 → ⟦B_d⟧ to have j'th element a_j. Then ⟦box^+[x⃗ ← t⃗].t⟧_i(γ) = [a, d].

We now proceed to the sum cases of our proofs.

Proof (box^+[y⃗ ← u⃗].t case of Lem. 3.8). By induction we have ⟦u_k[t⃗/x⃗]⟧_i(γ) = ⟦u_k⟧_i(⟦t_1⟧_i(γ), …). Hence ⟦t⟧_j(⟦u_1[t⃗/x⃗]⟧_i(γ), …) = ⟦t⟧_j(⟦u_1⟧_i(⟦t_1⟧_i(γ), …), …) as required.

Proof (box^+ cases of Soundness Thm. 3.9). Because each ⟦A_k⟧ is a constant object (Lem. 3.6), ⟦t_k⟧_i = ⟦t_k⟧_j for all i, j. Hence ⟦box^+[x⃗ ← t⃗].t⟧_i is defined via components ⟦t⟧_j(⟦t_1⟧_j, …) and ⟦box^+ t[t⃗/x⃗]⟧_i via components ⟦t[t⃗/x⃗]⟧_j. These are equal by Lem. 3.8.

⟦box^+ in_d t⟧_i is the d'th injection into the function with j'th component ⟦t⟧_j, and likewise for ⟦in_d box t⟧_i.

Definition C.3 (ref. Def. 3.12).

— [a, d] R_i^{A_1 + A_2} t iff t ↦* in_d u for d = 1 or 2, and a R_i^{A_d} u.

Note that R_i^0 is (necessarily) everywhere empty.

Proof (for Lems. A.1 and A.2). For 0 cases the premise fails so the lemmas are vacuous. + cases follow as for ×.

Proof (ref. Fundamental Lemma 3.13). abort: The induction hypothesis states that ⟦t⟧_i(a⃗) R_i^0 t[t⃗/x⃗], but this is not possible, so the theorem holds vacuously. The in_d t case follows by easy induction.

case t of y_1.u_1; y_2.u_2: If ⟦t⟧_i(a⃗) R_i^{A_1 + A_2} t[t⃗/x⃗] then t[t⃗/x⃗] ↦* in_d u for some d ∈ {1, 2}, with ⟦t⟧_i(a⃗) = [a, d] and a R_i^{A_d} u. Then ⟦u_d⟧_i(a⃗, a) R_i^A u_d[t⃗/x⃗, u/y_d]. Now (case t of y_1.u_1; y_2.u_2)[t⃗/x⃗] ↦* case in_d u of y_1.(u_1[t⃗/x⃗]); y_2.(u_2[t⃗/x⃗]), which reduces to u_d[t⃗/x⃗, u/y_d], and Lem. A.1 completes.

box^+[y⃗ ← u⃗].t: ⟦u_k⟧_i(a⃗) R_i^{A_k} u_k[t⃗/x⃗] by induction, so ⟦u_k⟧_i(a⃗) R_j^{A_k} u_k[t⃗/x⃗] for any j by Lem. A.3. By induction ⟦t⟧_j(⟦u_1⟧_i(a⃗), …) R_j^{B_1 + B_2} t[u_1[t⃗/x⃗]/y_1, …]. If ⟦t⟧_j(⟦u_1⟧_i(a⃗), …) is some [b_j, d] we have t[u_1[t⃗/x⃗]/y_1, …] ↦* in_d s with b_j R_j^{B_d} s. Now (box^+[y⃗ ← u⃗].t)[t⃗/x⃗] ↦ box^+ t[u_1[t⃗/x⃗]/y_1, …] ↦* box^+ in_d s, which finally reduces to in_d box s, which yields the result.
The logic Lgλ may be extended to sums via the usual βη-laws and commuting conversions for binary sums and the equational version of the box^+ rule (ref. Fig. 3):

    x⃗ : A⃗ ⊢ t : B_d    Γ ⊢ t⃗ : A⃗
    ─────────────────────────────────────────────────
    Γ ⊢ box^+[x⃗ ← t⃗].(in_d t) = in_d(box[x⃗ ← t⃗].t)


D Proof of Definability of Solutions of Behavioural Differential Equations in gλ

An equivalent presentation of the topos of trees is as sheaves over ω (with the Alexandrov topology), Sh(ω). In this section it is more convenient to work with sheaves than with presheaves because the global sections functor Γ in the sequence of adjoints

Π_1 ⊣ Δ ⊣ Γ

where

Δ : Set → S,    Π_1 : S → Set,    Γ : S → Set

Π_1(X) = X(1),    Δ(a)(α) = 1 if α = 0 and a otherwise,    Γ(X) = X(ω)

is just evaluation at ω, i.e. the limit is already present. This simplifies notation. Another advantage is that ▶ : S → S is given as

(▶X)(ν + 1) = X(ν)
(▶X)(α) = X(α)

where α is a limit ordinal (either 0 or ω), which means that ▶X(ω) = X(ω) and as a consequence next_ω = id_{X(ω)} and Γ(▶X) = Γ(X) for any X ∈ S, and so ■(▶A) = ■A for any A, so we don't have to deal with mediating isomorphisms.

First we have a simple statement, but useful later, since it gives us a precise goal to prove later when considering the interpretation.

Lemma D.1. Let X, Y be objects of S. Let F : ▶(Y^X) → Y^X be a morphism in S and 𝓕 a function in Set from Y(ω)^{X(ω)} to Y(ω)^{X(ω)}. Suppose that the diagram

    Γ(▶(Y^X)) ────Γ(F)────▶ Γ(Y^X)
        │                     │
       lim                   lim
        ▼                     ▼
    Y(ω)^{X(ω)} ────𝓕────▶ Y(ω)^{X(ω)}


¹ This standard notation for this functor should not be confused with our notation for typing contexts.
commutes, where lim denotes the limit map. By Banach's fixed point theorem F has a unique fixed point, say u : 1 → Y^X.

Then lim(Γ(u)(*)) = lim(Γ(next ∘ u)(*)) = Γ(next ∘ u)(*)_ω = u_ω(*)_ω is a fixed point of 𝓕.

Proof. The proof is trivial.

𝓕(lim(Γ(u)(*))) = lim(Γ(F)(Γ(next ∘ u)(*)))

= lim(Γ(F ∘ next ∘ u)(*)) = lim(Γ(u)(*)).

Note that lim is not an isomorphism. There are (in general) many more functions from X(ω) to Y(ω) than those that arise from natural transformations. The ones that arise from natural transformations are the non-expansive ones.

D.1 Behavioural Differential Equations

Let Σ_A be a signature of function symbols with two types, A and Str. Suppose we wish to define a new k-ary operation given the signature Σ_A. We need to provide two terms h_f and t_f (standing for head and tail). h_f has to be a term using function symbols in the signature Σ_A and have type

x_1 : A, x_2 : A, …, x_k : A ⊢ h_f : A

and t_f has to be a term in the signature extended with a new function symbol f of type (Str)^k → Str and have type

x_1 : A, …, x_k : A, y_1 : Str, …, y_k : Str, z_1 : Str, …, z_k : Str ⊢ t_f : Str

In the second term the variables x⃗ (intuitively) denote the head elements of the streams, the variables y⃗ denote the streams, and the variables z⃗ denote the tails of the streams.

We now define two interpretations of h_f and t_f. First in the topos of trees and then in Set.

We choose a set a ∈ Set and define ⟦A⟧_S = Δ(a) and ⟦Str⟧_S = μX.Δ(a) × ▶(X). To each function symbol g ∈ Σ of type τ_1, …, τ_n → τ_{n+1} we assign a morphism

⟦g⟧_S : ⟦τ_1⟧_S × ⟦τ_2⟧_S × ··· × ⟦τ_n⟧_S → ⟦τ_{n+1}⟧_S.

Then we define the interpretation of h_f by induction as a morphism of type

⟦h_f⟧_S : ⟦A⟧_S^k → ⟦A⟧_S

⟦x_i⟧_S = π_i

⟦g(t_1, t_2, …, t_n)⟧_S = ⟦g⟧_S ∘ ⟨⟦t_1⟧_S, ⟦t_2⟧_S, …, ⟦t_n⟧_S⟩.

For t_f we interpret the types and function symbols in Σ_A in the same way. But recall that t_f also contains a function symbol f. So the denotation of t_f will be a morphism with the following type

⟦t_f⟧_S : ▶(⟦Str⟧_S^{⟦Str⟧_S^k}) × ⟦A⟧_S^k × ⟦Str⟧_S^k × (▶(⟦Str⟧_S))^k → ▶(⟦Str⟧_S)

and is defined as follows

⟦x_i⟧_S = next ∘ ι ∘ π_{x_i}

⟦y_i⟧_S = next ∘ π_{y_i}

⟦z_i⟧_S = π_{z_i}

⟦g(t_1, t_2, …, t_n)⟧_S = ▶⟦g⟧_S ∘ can ∘ ⟨⟦t_1⟧_S, ⟦t_2⟧_S, …, ⟦t_n⟧_S⟩    if g ≠ f

⟦f(t_1, t_2, …, t_k)⟧_S = eval ∘ ⟨π_f, can ∘ ⟨⟦t_1⟧_S, …, ⟦t_k⟧_S⟩⟩

where can is the canonical isomorphism witnessing that ▶ preserves products, eval is the evaluation map and ι is the suitably encoded morphism that, when given a, constructs the stream with head a and tail all zeros. This exists and is easy to construct.

Next we define the denotation of h_f and t_f in Set. We set ⟦A⟧_Set = a and ⟦Str⟧_Set = ⟦Str⟧_S(ω). For each function symbol g in Σ_A we define ⟦g⟧_Set = Γ(⟦g⟧_S) = (⟦g⟧_S)_ω.

We then define ⟦h_f⟧_Set as a function

⟦A⟧_Set^k → ⟦A⟧_Set

exactly the same as we defined ⟦h_f⟧_S.

⟦x_i⟧_Set = π_i

⟦g(t_1, t_2, …, t_n)⟧_Set = ⟦g⟧_Set ∘ ⟨⟦t_1⟧_Set, ⟦t_2⟧_Set, …, ⟦t_n⟧_Set⟩.

The denotation of t_f is somewhat different in the way that we do not guard the tail and the function being defined with a ▶. We define

⟦t_f⟧_Set : ⟦Str⟧_Set^{⟦Str⟧_Set^k} × ⟦A⟧_Set^k × ⟦Str⟧_Set^k × (⟦Str⟧_Set)^k → ⟦Str⟧_Set

as follows

⟦x_i⟧_Set = ι ∘ π_{x_i}

⟦y_i⟧_Set = π_{y_i}

⟦z_i⟧_Set = π_{z_i}

⟦g(t_1, …, t_n)⟧_Set = ⟦g⟧_Set ∘ ⟨⟦t_1⟧_Set, ⟦t_2⟧_Set, …, ⟦t_n⟧_Set⟩    if g ≠ f

⟦f(t_1, t_2, …, t_k)⟧_Set = eval ∘ ⟨π_f, ⟨⟦t_1⟧_Set, ⟦t_2⟧_Set, …, ⟦t_k⟧_Set⟩⟩

where ι is again the same operation, this time on actual streams in Set.
We then define

𝓕 : ⟦Str⟧_Set^{⟦Str⟧_Set^k} → ⟦Str⟧_Set^{⟦Str⟧_Set^k}

as

𝓕(φ)(σ⃗) = Γ(fold)(⟦h_f⟧_Set(hd(σ⃗)), ⟦t_f⟧_Set(φ, hd(σ⃗), σ⃗, tl(σ⃗)))

where hd and tl are head and tail functions (extended in the obvious way to tuples). Here fold is the isomorphism witnessing that guarded streams are indeed the fixed point of the defining functor.

Similarly we define

F : ▶(⟦Str⟧_S^{⟦Str⟧_S^k}) → ⟦Str⟧_S^{⟦Str⟧_S^k}

as the exponential transpose Λ of

F' = fold ∘ ⟨⟦h_f⟧_S ∘ hd ∘ π_2, ⟦t_f⟧_S ∘ (id × ⟨hd, id_{⟦Str⟧_S^k}, tl⟩)⟩

Proposition D.2. For the above defined F and 𝓕 we have

lim ∘ Γ(F) = 𝓕 ∘ lim

Proof. Let φ ∈ Γ(▶(⟦Str⟧_S^{⟦Str⟧_S^k})) = Γ(⟦Str⟧_S^{⟦Str⟧_S^k}). We have

lim(Γ(F)(φ)) = lim(F_ω(φ)) = F_ω(φ)_ω

and

𝓕(lim(φ)) = 𝓕(φ_ω)

Now both of these are elements of ⟦Str⟧_Set^{⟦Str⟧_Set^k}, meaning genuine functions in Set, so to show they are equal we use elements. Let σ⃗ ∈ ⟦Str⟧_Set^k.

We are then required to show

𝓕(φ_ω)(σ⃗) = F_ω(φ)_ω(σ⃗)

Recall that F = Λ(F') (exponential transpose) so F_ω(φ)_ω(σ⃗) = F'_ω(φ, σ⃗). Now recall that composition in S is just composition of functions at each stage and products in S are defined pointwise and that next_ω is the identity function.

Moreover, the morphism hd gets mapped by Γ to hd in Set and the same holds for tl. For the latter it is important that Γ(▶(X)) = Γ(X) for any X.

We thus get

F'_ω(φ, σ⃗) = fold_ω((⟦h_f⟧_S)_ω(hd(σ⃗)), (⟦t_f⟧_S)_ω(φ, hd(σ⃗), σ⃗, tl(σ⃗)))

And for 𝓕(φ_ω)(σ⃗) we have

𝓕(φ_ω)(σ⃗) = fold_ω(⟦h_f⟧_Set(hd(σ⃗)), ⟦t_f⟧_Set(φ_ω, hd(σ⃗), σ⃗, tl(σ⃗)))

It is now easy to see that these two are equal. The proof is by induction on the structure of h_f and t_f. The variable cases are trivial, but crucially use the fact that next_ω is the identity. The cases for function symbols in Σ_A are trivial since their denotations in Set are defined to be the correct ones. The case for f goes through similarly since application at ω only uses φ at ω.
Theorem D.3. Let (Σ_1, Σ_2) be a signature and I its interpretation. Let (h_f, t_f) be a behavioural differential equation defining a k-ary function f using function symbols in Σ. The right-hand sides of h_f and t_f define a term of type

Φ_f^g : ▶(Str^g → Str^g → ··· → Str^g) → (Str^g → Str^g → ··· → Str^g)

(with k+1 occurrences of Str^g on each side) and a term Φ_f of type

Φ_f : (Str → Str → ··· → Str) → (Str → Str → ··· → Str)

(again with k+1 occurrences of Str on each side) by using I(g_j) for the interpretations of the function symbols g_j.

Let f^g = fix Φ_f^g be the fixed point of Φ_f^g. Then f = ℒ_k(box f^g) is a fixed point of Φ_f, which in turn implies that it satisfies the equations h_f and t_f.

Proof. Use Prop. D.2 together with Lemma D.1, together with the observation that Set is a full subcategory of S with Δ being the inclusion.

We also use the fact that for a closed term u : A → B (which is interpreted as a morphism from 1 to B^A) the denotation of ℒ(u) at stage ν and argument * is lim(Γ(u)(*)).


D.2 Discussion

What we have shown is that for each behavioural differential equation that defines a function on streams and can be specified as a standalone function depending only on previously defined functions, i.e. it is not defined mutually with some other function, there is a fixed point. It is straightforward to extend to mutually recursive definitions by defining a product of functions in the same way as we did for a single function, but notationally this gets quite heavy.

More importantly, suppose we start by defining an operation f on streams first, and the only function symbols in Σ_A operate on A, i.e. all have type A^k → A for some k. Assume that these function symbols are given denotations in S as Δ(g) for some function g in Set. Then the denotation in Set is just g.

The fixed point f in S is then a morphism from 1 to the suitable exponential. Let f̄ be the uncurrying of f. Then lim(Γ(f)(*)) = Γ(f̄).

Thus if we continue defining new functions which use f, we then choose f̄ as the denotation of the function symbol f. The property lim(Γ(u)(*)) = Γ(f̄) then says that the f that is used in the definition is the f that was defined previously.

E About Total and Inhabited Types

An object in S is total and inhabited if all components are non-empty and all restriction functions are surjective. We have the following easy proposition.

Proposition E.1. Let P : S → S be a functor such that if X is a total and inhabited object, so is P(X), i.e. P restricts to the full subcategory of total and inhabited objects.

If P is locally contractive then its fixed point is total and inhabited.

Proof. We use the equivalence between the full subcategory tiS of S of total and inhabited objects and the category of complete bisected non-empty ultrametric spaces M. We know that the category M is an M-category² and thus so is tiS. It is easy to see that locally contractive functors in S are locally contractive in the M-category sense. Hence if P is locally contractive and restricts to tiS its fixed point is in tiS.

Corollary E.2. Let P be a non-zero polynomial functor whose coefficients and exponents are total and inhabited. The functor P ∘ ▶ is locally contractive and its unique fixed point is total and inhabited.

Proof. Products and non-empty coproducts of total and inhabited objects are total and inhabited. Similarly, if X and Y are total and inhabited, so is X^Y. So any non-zero polynomial functor P whose coefficients are all total and inhabited restricts to tiS. The functor ▶ restricts to tiS as well (but note that it does not restrict to the subcategory of total objects tS). Polynomial functors on S are also strong and so the functor P ∘ ▶ is locally contractive. Hence by Prop. E.1 its unique fixed point is a total and inhabited object.

In particular guarded streams of any total inhabited type themselves form a total and inhabited type.


² Birkedal, L., Støvring, K., Thamsborg, J.: The category-theoretic solution of recursive metric-space equations. Theor. Comput. Sci. 411(47), 4102-4122 (2010)



